Pathlock, too, warned that despite a medium CVSS rating of 6 out of 10, the flaws could lead to compliance issues, citing risks of audit failures under GDPR, PCI DSS, or HIPAA. SAP did not respond to queries on the matter.
The impact could be much greater
Dani noted that a breach through these vulnerabilities can facilitate further targeted attacks. “Not undermining the fact that this extracted data provides attackers with enough gunpowder for reconnaissance activities, a threat actor could understand organizational structure, usage patterns, and system configurations from the exploitation of these vulnerabilities and weaponize them for personalized attacks such as spear phishing to effectively compromise a targeted user and carry out further attacks,” Dani said.
The Pathlock research also led to the discovery of a related flaw in SAP NetWeaver AS ABAP, tracked as CVE-2025-0059, affecting SAP GUI for HTML and stemming from the same underlying issue. While SAP has yet to patch this variant, Pathlock is concerned that patching may not be a permanent fix for these issues.
According to Stross, fallback mechanisms can potentially undermine the updated versions released by SAP with stronger encryption (SAP GUI for Windows 8.00 Patch Level 9+ and SAP GUI for Java 7.80 PL9+ or 8.10), rendering them ineffective.